Prevent browser from executing javascript in console and in address url


Morag Hadad

May 27, 2018, 7:00:31 PM
to Chromium-dev
Hi guys,

I'm trying to create a secure Chrome browser that doesn't allow anyone to execute JavaScript from the DevTools console.
While dealing with DevTools, I can completely disable it, and therefore no one will have access to its console tab.
Still, they can type "javascript:" in the address bar and execute any JavaScript they want.

Any idea how to disable it?

Thanks,
Morag

PhistucK

May 28, 2018, 2:18:27 AM
to Morag Hadad, Chromium-dev
Note that Morag does not want to change code.

PhistucK


--
--
Chromium Developers mailing list: chromi...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev
---
You received this message because you are subscribed to the Google Groups "Chromium-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-dev...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/b47b6308-a905-4d34-b429-43ce694ada75%40chromium.org.

sacib

May 28, 2018, 3:29:29 AM
to morag...@gmail.com, Chromium-dev
Hi,

Please pardon me for asking, but why are you creating a browser? Why not an extension? There's one for Firefox - NoScript.


Drew Wilson

May 28, 2018, 4:12:56 AM
to morag...@gmail.com, Chromium-dev
I don't understand the use case - you are trying to prevent the user themselves from injecting Javascript? So I guess your browser won't allow extensions with content scripts, or MITM proxies, or HTTP connections? Or are you saying you already fully control the environment the browser runs in (on a managed machine, on a managed network, with extensions disabled) and just specifically are looking for an enterprise policy that might block bookmarklets?

Maybe you can use the URLBlacklist policy to blacklist javascript:// URLs, but not sure if that'll work in all contexts. Worth a try, though.


Morag Hadad

May 28, 2018, 4:28:50 AM
to Chromium-dev, morag...@gmail.com
Hi,

By "creating" I meant that the browser will be in our control; I don't want to create our own instance of Chromium unless it is necessary.
A plug-in or extension is something I thought about; if you are familiar with one that exists in Chrome, it would be great if you could share.
I can also create an extension in Chrome, but I'm not sure how to disable the option to execute JS from the address bar in the extension. Any idea here?

Hope it makes more sense now.

On Monday, May 28, 2018 at 10:29:29 UTC+3, Sakib A wrote:

Morag Hadad

May 28, 2018, 4:44:43 AM
to Chromium-dev, morag...@gmail.com
Sorry for the confusion.
You are right, I meant that I have full control over the browser on a managed secured machine, not necessarily with extensions disabled, but we'll prevent users from creating one on their own.
Meaning that the browser configuration won't be in their control, only the UI itself, meaning that they can still write javascript: in the address bar and inject whatever they want; I want to prevent this option.

I was thinking of an extension or some sort of JavaScript injection that will block this option; not sure if it is possible this way.

I already tried to block the URL with the following patterns with no success: "javascript://*/*" or "*javascript*" or "javascript:*//*/*", but it didn't work, so I'm sure if the pattern is wrong or just that it doesn't work with javascript as scheme.

On Monday, May 28, 2018 at 11:12:56 UTC+3, Drew Wilson wrote:

Drew Wilson

May 28, 2018, 4:52:36 AM
to morag...@gmail.com, Chromium-dev
Interesting. I'd expect that blocking javascript:* would work. Looks like maybe Javascript injection via the omnibar doesn't actually trigger a navigation so doesn't hit our URL blocking code.

Anyone know what codepath Javascript injection goes through? We can see if we can filter that path as well.
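
An added example, not part of the thread or of Chromium's code: a small audit of a managed Chrome policy file for the three controls the discussion touches on (DevTools disabled, extensions blocked, a javascript: entry in URLBlacklist). The function name `audit_policy` and the sample file are constructed; `DeveloperToolsDisabled` and `ExtensionInstallBlacklist` are Chrome enterprise policy names of that period that the thread itself does not mention.

```python
import json

# Constructed sample of a managed policy file; the values are illustrative only.
SAMPLE_POLICY = """
{
  "DeveloperToolsDisabled": true,
  "ExtensionInstallBlacklist": ["*"],
  "URLBlacklist": ["javascript://*"]
}
"""


def audit_policy(policy_text):
    """Return a list of findings for the lockdown discussed in the thread."""
    policy = json.loads(policy_text)
    findings = []

    # DevTools console: the original poster disables DevTools entirely.
    if policy.get("DeveloperToolsDisabled") is not True:
        findings.append("DevTools is not disabled (DeveloperToolsDisabled)")

    # Extensions with content scripts are another script-injection path.
    if "*" not in policy.get("ExtensionInstallBlacklist", []):
        findings.append(
            "extensions are not blocked by default (ExtensionInstallBlacklist)"
        )

    # Any URLBlacklist entry that names the javascript scheme counts here;
    # a bare substring pattern such as "*javascript*" does not.
    patterns = policy.get("URLBlacklist", [])
    if not any(p.strip().lower().startswith("javascript:") for p in patterns):
        findings.append("no javascript: pattern in URLBlacklist")

    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY) or ["no findings"]:
        print(finding)
```

A clean audit only shows the policy is configured: as the last message notes, address-bar JavaScript may not pass through the URL blocking code, so the behaviour still has to be confirmed in the browser build being deployed.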
